xen-devel.lists.xenproject.org archive mirror
* Xen 3.4.x Backports
@ 2012-02-28 23:36 Jonathan Tripathy
  2012-02-28 23:47 ` Fajar A. Nugraha
  2012-02-29  9:53 ` Ian Campbell
  0 siblings, 2 replies; 7+ messages in thread
From: Jonathan Tripathy @ 2012-02-28 23:36 UTC (permalink / raw)
  To: keith.coleman, xen-devel@lists.xen.org


Hi Keith,

CC: Xen-devel Mailing List

I've noticed that you seem to be a major contributor with regard to 
keeping the 3.4.x branch updated with backported security patches. As 
Xen security is a high priority, I hope you don't mind me discussing 
with you whether some CVEs are backported or not. I really appreciate 
you taking the time to read this email. Of course, the rest of the list 
can chime in as always!


CVE-2011-2901:

http://www.openwall.com/lists/oss-security/2011/09/02/2

The patch performs the following:

-    (((unsigned long)(addr)<  (1UL<<48)) || \
+    (((unsigned long)(addr)<  (1UL<<47)) || \
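Review bot: the hunk changes only the numeric upper bound of the `addr` range test, from `1UL<<48` to `1UL<<47`, and the trailing `|| \` shows it is one arm of a multi-line macro whose other arm is not quoted; since the bound is an unnamed literal, a reviewer should confirm that no other arm or caller of the same macro still encodes the old 48-bit limit, and that the later trees mentioned in the mail (where this line is reported unchanged) express the same limit elsewhere rather than being unfixed. Defining the bound once as a named constant would make that audit straightforward and keep the two arms from drifting apart.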


I see that the Xen security advisory says that only hypervisors 3.3 or 
earlier are affected. However, I note that in later versions of Xen, the 
line changed in the patch remains untouched. Any ideas why this is the 
case? Additionally, Red Hat in their advisories claim to fix this issue 
in their kernel update. How can this be, given that this is a Xen 
hypervisor issue?


CVE-2011-1898

http://old-list-archives.xen.org/archives/html/xen-devel/2011-05/msg00687.html

Any idea when this can be backported to 3.4.x? I see that this has made 
it to the 4.1-testing stable branch.

CVE-2012-0029
http://seclists.org/oss-sec/2012/q1/360

Maybe this is currently impossible to get going on the 3.4.x branch as 
the upstream qemu trees don't have a 3.4.x Xen patch for this?

CVE-2011-1166
https://bugzilla.redhat.com/show_bug.cgi?id=688579
http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8

Again, this doesn't appear to be backported to 3.4.x, however I note 
that Red Hat claim to have fixed this in their kernel version. This is 
where I get confused again. How can a hypervisor issue be fixed in the 
kernel??

Once again, I really appreciate your time, and I'm very sorry if I'm 
wasting it!

Thanks,

Jonathan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel


* Re: Xen 3.4.x Backports
  2012-02-28 23:36 Xen 3.4.x Backports Jonathan Tripathy
@ 2012-02-28 23:47 ` Fajar A. Nugraha
  2012-02-28 23:51   ` Jonathan Tripathy
  2012-02-29  9:53 ` Ian Campbell
  1 sibling, 1 reply; 7+ messages in thread
From: Fajar A. Nugraha @ 2012-02-28 23:47 UTC (permalink / raw)
  To: Jonathan Tripathy; +Cc: keith.coleman, xen-devel@lists.xen.org

On Wed, Feb 29, 2012 at 6:36 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> CVE-2011-1166
> https://bugzilla.redhat.com/show_bug.cgi?id=688579
> http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8
>
> Again, this doesn't appear to be backported to 3.4.x, however I note that
> Red Hat claim to have fixed this in their kernel version. This is where I
> get confused again. How can a hypervisor issue be fixed in the kernel??

Red Hat bundles the hypervisor (xen.gz) as part of their kernel-xen
rpm, while the xen rpm only contains the userland part. So if you have
three different versions of the kernel-xen rpm installed, you'd have three
versions of the hypervisor.

-- 
Fajar


* Re: Xen 3.4.x Backports
  2012-02-28 23:47 ` Fajar A. Nugraha
@ 2012-02-28 23:51   ` Jonathan Tripathy
  2012-02-28 23:56     ` Fajar A. Nugraha
  0 siblings, 1 reply; 7+ messages in thread
From: Jonathan Tripathy @ 2012-02-28 23:51 UTC (permalink / raw)
  To: Fajar A. Nugraha; +Cc: keith.coleman, xen-devel@lists.xen.org


On 28/02/2012 23:47, Fajar A. Nugraha wrote:
> On Wed, Feb 29, 2012 at 6:36 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>> CVE-2011-1166
>> https://bugzilla.redhat.com/show_bug.cgi?id=688579
>> http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8
>>
>> Again, this doesn't appear to be backported to 3.4.x, however I note that
>> Red Hat claim to have fixed this in their kernel version. This is where I
>> get confused again. How can a hypervisor issue be fixed in the kernel??
> Redhat bundles the hypervisor (xen.gz) as part of their kernel-xen
> rpm, while xen rpm only contains the userland part. So if you have
> three different versions of kernel-xen rpm installed, you'd have three
> versions of hypervisors.
Interesting!

What we currently do is use CentOS's kernel-xen purely for the Linux 
Kernel, however we use the xen.gz (3.4.x) image from GitCo. Is this bad? 
It's been a very stable combination for us.

I take it this means, for my security concerns, that I have to rely on 
what has been backported to the 3.4.x branch in xenbits, as I'm not 
using Red Hat's backports?

Sorry that I'm a bit confused here.


* Re: Xen 3.4.x Backports
  2012-02-28 23:51   ` Jonathan Tripathy
@ 2012-02-28 23:56     ` Fajar A. Nugraha
  0 siblings, 0 replies; 7+ messages in thread
From: Fajar A. Nugraha @ 2012-02-28 23:56 UTC (permalink / raw)
  To: Jonathan Tripathy; +Cc: keith.coleman, xen-devel@lists.xen.org

On Wed, Feb 29, 2012 at 6:51 AM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
>
> On 28/02/2012 23:47, Fajar A. Nugraha wrote:
>>
>> On Wed, Feb 29, 2012 at 6:36 AM, Jonathan Tripathy<jonnyt@abpni.co.uk>
>>  wrote:
>>>
>>> CVE-2011-1166
>>> https://bugzilla.redhat.com/show_bug.cgi?id=688579
>>> http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8
>>>
>>> Again, this doesn't appear to be backported to 3.4.x, however I note that
>>> Red Hat claim to have fixed this in their kernel version. This is where I
>>> get confused again. How can a hypervisor issue be fixed in the kernel??
>>
>> Redhat bundles the hypervisor (xen.gz) as part of their kernel-xen
>> rpm, while xen rpm only contains the userland part. So if you have
>> three different versions of kernel-xen rpm installed, you'd have three
>> versions of hypervisors.
>
> Interesting!
>
> What we currently do is use CentOS's kernel-xen purely for the Linux Kernel,
> however we use the xen.gz (3.4.x) image from GitCo. Is this bad?

It depends :)

> It's been a
> very stable combination for us.
>
> I take it this means, for my security concerns, that I have to rely on what
> has been backported to the 3.4.x branch in xenbits, as I'm not using Red
> Hat's backports?

You could take a look at what Red Hat has done, and see if you can
integrate the patches into GitCo's RPM.

If you only use the block device backend (i.e. phy:/), it might be easier
to just switch to xen-4.1.2 + the latest upstream kernel (e.g. using the
kernel-ml 3.x rpm from elrepo.org). That way you can easily apply the
latest security patches yourself, without having to backport them.

-- 
Fajar


* Re: Xen 3.4.x Backports
  2012-02-28 23:36 Xen 3.4.x Backports Jonathan Tripathy
  2012-02-28 23:47 ` Fajar A. Nugraha
@ 2012-02-29  9:53 ` Ian Campbell
  2012-03-01 11:40   ` Keith Coleman
  1 sibling, 1 reply; 7+ messages in thread
From: Ian Campbell @ 2012-02-29  9:53 UTC (permalink / raw)
  To: Jonathan Tripathy; +Cc: keith.coleman@n2servers.com, xen-devel@lists.xen.org

On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote:
> Hi Keith,

On a related note it would be very useful if
http://wiki.xen.org/wiki/Security_Announcements could be updated when
security fixes corresponding to Xen.org security vulnerability
disclosures are added to the 3.4 branch. Keith, can you do that? If not
then if you drop me a line each time I'll take care of it for you.

> CVE-2011-2901:
> http://www.openwall.com/lists/oss-security/2011/09/02/2
> 
> The patch performs the following:
> -    (((unsigned long)(addr) < (1UL<<48)) || \
> +    (((unsigned long)(addr) < (1UL<<47)) || \
> 
> I see that the Xen security advisory says that only hypervisors 3.3 or
> earlier are affected. However, I note that in later versions of Xen,
> the line changed in the patch remains untouched. Any ideas why this is
> the case?

The problem has been fixed in xen-unstable. However, only 3.3 and earlier
were actually vulnerable to the issue, and so it has not been
backported to the stable branches.

[...]

I've left the others for Keith to comment on as 3.4 maintainer.

Ian


* Re: Xen 3.4.x Backports
  2012-02-29  9:53 ` Ian Campbell
@ 2012-03-01 11:40   ` Keith Coleman
  2012-06-14 10:37     ` Jonathan Tripathy
  0 siblings, 1 reply; 7+ messages in thread
From: Keith Coleman @ 2012-03-01 11:40 UTC (permalink / raw)
  To: Ian Campbell; +Cc: Jonathan Tripathy, xen-devel@lists.xen.org

On Wed, Feb 29, 2012 at 4:53 AM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote:
>> Hi Keith,

Jonathan,

Thank you for bringing up these issues. I will resolve them.

>
> On a related note it would be very useful if
> http://wiki.xen.org/wiki/Security_Announcements could be updated when
> security fixes corresponding to Xen.org security vulnerability
> disclosures are added to the 3.4 branch. Keith, can you do that? If not
> then if you drop me a line each time I'll take care of it for you.
>

Certainly!


--
Keith Coleman


* Re: Xen 3.4.x Backports
  2012-03-01 11:40   ` Keith Coleman
@ 2012-06-14 10:37     ` Jonathan Tripathy
  0 siblings, 0 replies; 7+ messages in thread
From: Jonathan Tripathy @ 2012-06-14 10:37 UTC (permalink / raw)
  To: xen-devel, keith.coleman


On 01/03/2012 11:40, Keith Coleman wrote:
> On Wed, Feb 29, 2012 at 4:53 AM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
>> On Tue, 2012-02-28 at 23:36 +0000, Jonathan Tripathy wrote:
>>> Hi Keith,
> Jonathan,
>
> Thank you for bringing up these issues. I will resolve them.
>
>> On a related note it would be very useful if
>> http://wiki.xen.org/wiki/Security_Announcements could be updated when
>> security fixes corresponding to Xen.org security vulnerability
>> disclosures are added to the 3.4 branch. Keith, can you do that? If not
>> then if you drop me a line each time I'll take care of it for you.
>>
> Certainly!
>
>
> --
> Keith Coleman
>
Hi Keith,

Is there any update regarding the issue of backporting a few patches, as 
per my post from February? The CVEs in question are:

CVE-2011-2901
CVE-2011-1898
CVE-2012-0029
CVE-2011-1166

I'm also guessing that 3.4.5 will be released very soon, due to the 
recent CVEs (http://lists.xen.org/archives/html/xen-announce/2012-06/)?

I appreciate your time.

Many Thanks

Jonathan
